Patched User32 Virus Keeps coming back

Question:Patched User32 Virus Keeps coming back

I am having problems with the Patched User32 virus coming back to my system. It has some components that McAfee says it can't remove or repair. I have tried Adaware and MalWare Bytes and still have the problem. My computer also seems to be running slower now. Here is the log from the DDS software:

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.

If you have problems where no tools seem to run, please try following the steps given in the below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First. TDSSserv Non-Plug & Play Driver Disable

If something does not run, write down the info to explain to us later but keep on going. Do not assume that because one step does not work that they all will not. READ & RUN ME FIRST. Malware Removal Guide

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in Safe Mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot (links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them. To avoid additional delay i...

Welcome to the BleepingComputer Forums.

Since it has been a few days since you scanned your computer with HijackThis, we will need a new HijackThis log. If you have not already downloaded Random's System Information Tool (RSIT), please download Random's System Information Tool (RSIT) by random/random which includes a HijackThis log and save it to your desktop. If you have RSIT already on your computer, please run it again. Double click on RSIT.exe to run RSIT. Click Continue at the disclaimer screen. Please post the contents of log.txt. Thank you for your patience.

Please see Preparation Guide for use before posting about your potential Malware problem. If you have already posted this log at another forum or if you decide to seek help at another forum, please let us know. There is a shortage of helpers and taking the time of two volunteer helpers means that someone else may not be helped.

Please post your HijackThis log as a reply to this thread and not as an attachment. I am always leery of opening attachments so I always request that HijackThis logs are to be posted as a reply to the thread. I do not think that you are attaching anything scary but others may do so.

While we are working on your HijackThis log, please: Reply to this thread; do not start another! Do not make any changes on your computer during the cleaning process or download/add programs on your computer unless instructed to do so. Do not run any other tool until instruc...

Got this worm popping up on my McAfee Scan I cannot get rid of -- Patched User32, aka W32.Mariofev. Found a couple things on Internet, how to get rid of it, but they don't seem to work. Would appreciate some help.

Answer:Patched User32 / W32.Mariofev

Hi, welcome to TSF!

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Hi all, Looking for some professional help on this tricky little bugger. McAfee picked it up, Norton didn't. Upon looking in the system32 folder I found it had a user.dll.exe file which was worrying. The McAfee is going off every minute with the same warning about the patched user32.dll. Anyway please have a look and let me know your thoughts.

I tried DDS but it just hangs on the black DOS window for about 10 mins, root repeal crashed halfway through. I have included a hijack this log, I will reboot in safe mode and try rootrepeal again.

EDIT I have managed to run Root Repeal and DDS, I have attached all the logs.

Thanks for any help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:15:28, on 15/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C...

Answer:Patched User32.dll, Mcafee.

**BUMP** Any help? This is baffling me and I will need to wipe the PC if I can't fix it.

My co-worker's computer picked up a bug last week. Mcafee can't get rid of the patched user32 file, but it did detect the marioforever.exe file. Every time I have mcafee remove the file, it's still there next time I run the av scan. I ran the DDS scan, and the gmer.exe, and here are the results. I attached the ark.txt results. How can I get rid of the patched user32 file? Thanks for any help!! Cheers, Holly
the DDS scan:

I'm a beginner using what had been my son's computer. McAfee found "Patched user32" but is unable to remove it. Well, it has forced me to learn how to copy and paste DDS.txt below and attach Attach.txt and ark.txt!
thanks for your help,
Diane

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

Problems started December 20-something and I have been picking away at it. I have been waiting for help from techsupportforum but nothing in well over two weeks. I have followed various forum suggestions on cleaning cutwail and several other suspected troubles - frankly I have lost track of what I have tried and what I have read about. Symptoms follow those described around the mario-Worm like infections (nothing from McAfee or other scans indicating this by name...) MS Office programs shutting down (just disappears from the screen...) after a few minutes or seconds of use.

I am following the original post from DG2007 (topic188071) and the solutions provided by rigel - I will do the downloads and cleaning that seem to be straightforward but suspect I will need some help from the HJT forum and ComboFix gurus.

thanks in advance
murph

Answer:zser32.tmp - Patched User32

Hi kdmurphy - welcome to BC!

I know you are looking at the other topic, but let's try to work the problem from here. The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finis...

I have posted the requested attachments including DDS (which I ran several times because it kept shutting down. I did not read the sticky saying NOT to run this until I gave up on getting what I thought might be a 'full' report...)

I have been poking at this for several days, mucking about in the registry deleting items (listed below) and renaming a few files since I did not know how to replace them if I deleted them. All based on various forums from sources I researched a bit and decided I could trust...

removed from registry {per symantec(dot)com writeup}:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ip6fw
*did not find the 'Runtime' reference in the same path

HISTORY:
First symptom was computer shutting down so I checked Microsoft and McAfee for updates. A Microsoft update came in and a window popped up saying "Cutwail" and some details I could not read and did not fully record what I could read. I have not been able to re-create this window since. I went on-line to find ways to deal with this and read about lots of frustrated folks with more computer skills than me.

I ran sdat5477 - a super virus scanner from McAfee, have had the System Restore off most of this week and had DCOM Process Server on and off {this seems to be the last window to show up before shutting down: Generic Host Process.. Win32 Ser...

Answer:cutwail? Patched User32?

please bump -

I did update McAfee last night (1/3) and ran a scan, deleted and quarantined as directed. This is the only solution posted on their website, this is the only change I have made.

Hi there,

McAfee is reporting different programs associated with the "Patched User32" malware on my Windows XP system. Unfortunately McAfee cannot remove them, but says they are quarantined. Nevertheless, even though they are "quarantined" McAfee keeps finding (at least a couple times a day) and quarantining the following:

C:\WINDOWS\system32\dllcache\zuser.tmp
C:\WINDOWS\system32\dllcache\user32.dll
C:\WINDOWS\system32\dllcache\user32.dll.exe
C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\user32.dll.exe
C:\WINDOWS\system32\OLD159.tmp
C:\System Volume Information\_restore{B9823275-D858-498B-A-4DC-C4EEDA322F67}\RP910\A0054767.exe
C:\System Volume Information\_restore{B9823275-D858-498B-A-4DC-C4EEDA322F67}\RP921\A0057970.exe
C:\System Volume Information\_restore{B9823275-D858-498B-A-4DC-C4EEDA322F67}\RP938\A0059212.exe

On a side note, Malwarebytes isn't detecting any of these issues.

Any help would be greatly appreciated!

Below are the contents of the DDS.txt log (and I have attached two other logs):

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

Hi, this is the first time I've posted here and I hope someone can help.

I have a Dell Dimension 5000 running Windows XP (Version 2002, Service Pack 3) with McAfee Security Center.

As best I can remember this is the sequence of events.

I believe the problem was first noticed on 12/12/08 - Internet Explorer and Outlook closed and the PC froze. After rebooting, the taskbar icon showing the broadband connection had disappeared and a McAfee virus scan identified a potentially unwanted program 'Patched user32' - the option to remove was selected.

Since then the PC intermittently runs slowly, applications close for no reason and the taskbar/Start button occasionally stops responding altogether. The McAfee virus scan has repeatedly reported the 'patched user32' and each time the remove option has been selected.

Yesterday (28/12/08), after looking at the McAfee website and with a bit of assistance from a friend, the following files were thought to be the problem and deleted:
c:\windows\system32\... zser32.tmp zmpyrik eop.e r33.es v1.e2 zed.pa kj.je
c:\windows\system32\drivers\... atmapi
although we were unable to delete c:\windows\system32\nvaux32.dll

McAfee Security Center then reported the W32/Mariofev.worm and removed it, this also removed the nvaux32.dll.

However, we were unable to replace the user32.dll with an uninfected one because the XP CD I have can only be used to reinstall the operating system and is not for reinstal...

Answer:Patched user32.dll, W32/Mariofev.worm

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.

Upon completing the steps below a staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results, click no to the Optional_Scan
Follow the instructions that pop up for posting the results.
Close the program window, and delete the program from your desktop.
Please note: You may have to disable ...

I have McAfee SecurityCenter with AT&T on my computer, it detects the Patched User32, and when I remove it, the program comes back.
This program is really affecting my computer. It slows the computer down, gives me a lot of pop-ups when I go on the computer, and it makes the internet really slow as well. A couple of months ago, I had the same problem, but I had to call McAfee and pay $84 just so they could resolve the issue, but I really don't want to pay to get this fixed. Help?

Answer:How Do I Remove Patched User32 From My Windows XP?

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

I am new here. I have Patched USER32 reported by Mcafee scan. Mcafee also says that it cannot remove the virus completely. My computer is not down. But I do not know how long before that happens.

Thanks in advance.

-Venkat

Answer:Patched USER32 cant be removed by Mcafee

Hello and welcome please run these next. If you have Spybot installed temporarily disable it.

Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".
Please download ATF Cleaner by Atribune & save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.
If you use Firefox browser click Firefox at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser click Opera at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do ...

My AVG resident shield picked up a trojan running every time an exe file was executed. Avg named the virus as

C:\WINDOWS\system32\USER32.dll Trojan horse Patched_c.BVY

I did a virus check on my user32.dll file on a web based virus checker and it confirmed

USER32.dll infected with Trojan.Win32.Patched.dr

I attempted to remove this with AVG which resulted in the user32.dll file being deleted, that sucked (As computer would no longer start). After getting a USB drive bootup going, I retrieved the file from the virus vault, which fixed the boot up problem but... I'm still infected. Ran Spybot and picked a few things up. Ran HJT and here is the Log file:

HI!! this is great, I feel like I am making some progress! - I was sent from: http://www.bleepingcomputer.com/forums/t/194009/zser32tmp-patched-user32/

battling this since 12/24 - MS Office applications suddenly shut down after a few seconds but less than minutes. McAfee Security Center 8.1 (provided by Comcast) keeps finding Patched User32 but does not seem to fix it.

c:\windows\system32\user32.dll submitted to JOTTI:
Avast Found Win32:SysPatch
Dr.Web Found BackDoor.Zapinit
F-Secure Anti-Virus Found Trojan.Win32.Patched.bb
Kaspersky Anti-Virus Found Trojan.Win32.Patched.bb
NOD32 Found Win32/Pinit
Panda Antivirus Found W32/Patched.D
Sophos Antivirus Found Troj/User32Hk-A
VirusBuster Found Trojan.Patched.AP

When I submitted c:\windows\system32\user32.dll to McAfee's threat center:
--------------------------------------------
AVERT Labs - Beaverton
Current Scan Engine Version:5300.2777
Current DAT Version:5494.0000
Thank you for your submission.
Analysis ID: 5069956
Name Findings Detection Type Extra
user32.dll current detection patched user32 Application no
current detection [ user32.dll ]
Our analysis detected a potentially unwanted program or joke program with our current DAT files and engine. It is recommended that you update your DAT and engine files and scan your computer again. If you are not seeing this with the product you are using, please speak with technical support so that t...

Answer:Patched User32 - McAfee scan cant fix

Hello, Welcome to Bleeping Computer.

My name is mas_pogi and I will be helping you with your Malware problem. As I am still in training I will be helping you under supervision of our expert teachers, so there may be a delay between posts.

Attention!
Please do not run any other tool until instructed to do so.
Please tell me about any problems that have occurred during the fix.
Please tell me of any other symptoms you may be having as these can help also.
Please try as much as possible not to run anything while executing a fix.
Please reply to this thread, do not start another.
You might want to save this page on your bookmark, so you can find it again when you return.
Firefox: Then click on Done.
IExplorer: Then click on Add.
Stay calm and everything will be just alright.

I will be analyzing your log. I will get back to you with instructions after it is approved.

With Regards,
mas_pogi

I read another post with same problem at this site. Moderator suggested starting with the below and I did as she told prior poster. I copied it so the new person would know what I have done. I am posting results of this scan below for moderator review and further instructions.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
Wh...

Ok, I've never posted here before but I'm finally at my wit's end. I'm sorry if I leave something out or make little sense, I'm feeling very overwhelmed right now. I have a Dell Inspiron E1505. Windows XP. Prior to having this problem I had Spybot and McAfee AOL Edition on my laptop.

Earlier this week I noticed some issues with my laptop after doing a restart - like while writing an email in Outlook the program just closed all on its own. I restarted and about a half an hour later it closed again. That was my first hint that something was wrong. After I started having problems I ran a system restore. That seemed to help, things seemed back to normal, except when I tried to download Windows Defender it closed repeatedly while trying to install. Before going to bed I closed down my laptop again, and in the morning when I restarted it was having problems again. This time my Dell Wireless WLAN Card Utility icon was missing from the tool icon bar by the time and I couldn't connect wirelessly to the internet.

**I ran a virus scan using McAfee AOL Edition and it found W32.Mariofev.worm - I chose the remove option for this. I ran Spybot and it found a few issues and "fixed" them.

**I uninstalled my McAfee AOL Edition and installed Symantec, when I ran a scan it found several instances of Trojan.wimad, patched user32, and win32.Agent.icb. (I think, my memory is foggy now, sorry!)

**I've since uninstalled and reinstalled Spybot ...

Answer:Patched User32/zser32.tmp Problem

Hi Diane and welcome to BleepingComputer!

We will do our very best... First if you have Symantec and McAfee loaded on your computer, you should remove one. The two programs will conflict with each other and cause problems. Use only one resident anti-virus program.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a mess...

Here's my post from the "Am I Infected" Forum: http://www.bleepingcomputer.com/forums/t/188071/patched-user32zser32tmp-problem/. That post includes all the steps I've taken, prior to coming here and since I first posted. Summary: Initially, I noticed issues with my laptop early last week after restarting, I was writing an email when Outlook closed on its own while I was in the middle of typing. After restarting Outlook it happened again. Since then I've run various virus scans, including McAfee and Symantec, as well as Spybot and several others (see my other post for logs). My laptop started having other various issues like my wireless internet wouldn't work, Google Chrome stopped working - it would open but I couldn't load pages, my computer slowed down a lot, especially at start up (it took about 15 minutes or so to start up!). Now after running all these scans I can connect wirelessly again, my computer isn't as slow anymore (though my internet is pretty slow tonight), and Google Chrome is working again. I tried to run Kaspersky but I got an error message that I needed to be connected to the internet. I'm going to try a wired connection and see if that helps in case it's my wireless connection causing trouble. And after I'm done with that I will run a RSIT scan. Thanks in advance for your help! I will post logs as soon as they are available.

I hope that this is in the right section but I am having a problem with my computer. I can constantly hear programs running in the background. I currently have two anti spyware/malware installed on my computer. One is SpyHunter and the other is CyberDefender. They both are picking up on some virus called Vundo and every time I delete it, it just comes right back. It is so frustrating surfing the internet because it freezes or moves extra slowly. Figured I'd ask you guys before I take a hammer to it lol.

Hello, I am moving this to the Am I Infected forum from XP.

Please disable those apps while we do this.

Next run MBAM (MalwareBytes):
NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the St...

Hello, I've been battling with this fake AV for a while now and I just discovered that Windows Firewall is putting out this error code when I try to restore it, 0x80070424. I am using AVG 2012 as an anti-virus program and running Windows 7 Home Premium SP1 64-bit. If anyone can help me with this I would be forever grateful.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434544 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo...

Hello,
I have a problem, which I've tried to fix several times but it keeps coming back.
This virus is located in the System32 folder; PC-cillin 2005 identified it as TROJ_ROOTKIN.N. I've gone to safe mode, deleted it, returned to Windows and the virus reappeared. What's more, it clogs up PC-cillin, so now under quarantine I have 100+ instances of this virus, and it's increasing.
The virus is labelled hpr34k8

It all started last week when my computer contracted Trojan.Nebuler. My copy of Norton couldn't get rid of it so I downloaded various so-called fixes. In the end I had to manually delete the trojan following the instructions on Symantec's web site - but that was when the fun really began. All sorts of pop up software has been appearing e.g. SysProtect, Drivecleaner and adult sites. Plus the computer has slowed down to a crawl. I have scanned my machine using Norton and AVG and Trend Housecall. And although they find new viruses, and remove them, they keep on coming back. I also downloaded and installed a Registry cleaner - to see if this would speed the thing up a bit, hope I haven't deleted anything important (although it says I can recover the lines I have deleted). Can anyone help - here is the hjt log.

I am using a 64 bit version of Windows Vista. I have a virus on my computer that keeps coming back. Usually I am able to remove viruses on my computer using a combination of rkill, malwarebytes, and super anti spyware, but this specific virus keeps coming back, even after I clear it with malwarebytes. Also the virus won't let me update my malwarebytes software. I have tried to do a system restore, but every time I click on the icon, I am asked to select a program to open system restore with, and I am not sure which program to pick. On my desktop there is a suspicious icon named system restore. Any help would be greatly appreciated. Thanks

Answer:Virus keeps coming back

Please follow the instructions in ==>This Guide<== starting at Step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Please include a description of your computer issues, what you have done to resolve them, and a link to this topic.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

It would be helpful if you post a note here once you have completed the steps in the guide and have started your topic in malware removal. Good luck and be patient.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

There's a virus named wlzxha.exe in C:\WINDOWS\system32\ that keeps coming back after I delete it. The virus is "Downloader" according to Norton. It deletes fine (I've done it in safe mode) but it seems to come back after each restart.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please download aswMBR.exe to your desktop.

* Double-click aswMBR.exe to run it.
* Click the Scan button to start scan.
* Wait until it says, 'Scan finished successfully'. (Note - do not select any Fix at this time)
* Click Save log, and save it to your desktop.
* Click Exit.
* Please post the contents of that log, aswMBR.txt, in your next reply.

There shall also be a file on your desktop named MBR.dat. Right-click that file and select Send To > Compressed (zipped) folder. Please attach that zipped file in your next reply.

------------------------------------------------------

When you run this tool, remember to choose 'Skip' not 'Cure' if it finds something. We just want a scan, not a fix.

Hello ziggyzig

Welcome to the BC HijackThis Log and Analysis forum. I apologize for the delay, however we are all volunteers and it gets very busy around here. I will be assisting you from here on out.

I ask that you refrain from running tools other than those we suggest to you while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

Please perform the following:

Please do an online scan with Kaspersky WebScanner

* Click on Kaspersky Online Scanner
* You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
  * Scan using the following Anti-Virus database:
    * Extended (if available otherwise Standard)
  * Scan Options:
    * Scan Archives
    * Scan Mail Bases
* Click OK
* Now under select a target to scan:
  * Select My Com...

For the fourth time in the past few months, I have been experiencing strange pop-ups blocking my use of various programs. Twice, my IT dept. attempted removal of the virus, which looks like a virus warning from McAfee but will not allow removal or the use of the programs it is blocking. This time around it was blocking my use of Internet Explorer and Outlook.

A screen popped up and each time I tried to open the programs it would log a warning in the screen. The screen showed options for removing the items logged, however it would not respond to clicking any of the options and would only go away if I closed it out completely. If I did close it, as soon as I attempted to open those programs again, the warning would reappear. This is nearly identical to the last two or three times I have experienced this, with a couple weeks in between occurrences.

I rebooted several times and received a pop-up message from Windows saying "Windows has recovered from a serious error." The third time I rebooted, it actually allowed me to open these programs without the warning. The first two times it would not go away. This has happened a couple of times prior, where that message seemed to temporarily fix my issue.

Is this a real virus that is hidden in my computer? What can I do to remove it completely?

Answer:Virus that keeps coming back

Hello, can you run an MBAM scan and post a log back? Let's see what it may show.

Next run MBAM (MalwareBytes):

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  * Update Malwarebytes' Anti-Malware
  * Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.
* If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:
* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top...

I'm not sure whether it's a virus, trojan, spyware etc but I have something running on processes which takes up around 180k memory. Every time I close the process it re-appears but as a different name... For example, as of now the process is called 'xsggsz.exe' but now I've closed it and it's re-appeared as 'vzdfme.exe'.

I've used spysweeper, McAfee, Ad-Aware and system mechanic to try and get rid of it but it just won't budge.

I'd appreciate any help regarding this.

Thanks!

Answer:Virus That Keeps Coming Back!

go to http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm and click on

scan your pc

Panda has the most up-to-date scanner I've seen

also if you do not have a firewall - you really need one.
I've used the free version of zonealarm for a number of years, and never had a problem, except a couple of times when I turned it off to access a site (that was real dumb)

Hello, 2-3 weeks ago I got some viruses. I tried to delete them but they come back every time. The viruses are in 3 drives (D, E, C) and I also got another virus named Backdoor.Agent. By the way, I use Windows XP. Can somebody help me?

Hi, Norton found the virus called Back door greybird.k on C:\windows\G_server_hook.dll. I logged on to the safe mode and deleted the G server. exe and dll file. But Norton keeps finding this virus. How can I clean the virus? Thanks very much.

(Moderator edit: moved post to more appropriate forum. jgweed)

Answer:Virus coming back again and again

Symantec Security Response

I'd recommend submitting a hijackthis log here.
How to submit a hijackthis log
Download Hijackthis

Try running the following from safe mode (Getting to safe-mode)
Sysclean you'll also need the virus template file from here lpt***.zip
or
DrWeb CureIT

If you're good with the command line also try Sophos Command Line scanner

Also try installing and running A2 Free and Ewido

I'd also run Spybot and Adaware

If you're using Win2K/XP run adaware/spybot from "safe mode with command prompt"

At the C:\ prompt type the following:-

cd\
C:\progra~1\spybot~1\spybotsd.exe /autocheck /autofix
cd\
C:\progra~1\lavasoft\ad-awa~1\ad-aware.exe

Hi - I recently got infected with a virus that added options to my toolbar (Fresh Search) which I managed to fix thanks to the help I saw posted here, but I still keep getting pop-ups and infections - SearchToolbar, Spyware.Msnagent and DownLoader.Trojan being the most recent. None of the anti-spyware, pop-up blockers or anti virus programs I have can stop the reinfections.

I have gone into safe mode, used CWShredder, CClean, Kill2Me, HSRemove and Stinger. Also RAVAntivirus online scan, Bitdefender online scan, AdAware SEplus and Norton Antivirus. I used Silent Runners and found some suspect entries, which I edited out of the registry using Registrar Lite, and I used Hijack This to find and fix some other suspicious entries.

But they all keep coming back, in one form or another. Not crippling like before, but really annoying!

Below is a recent Silent Runners report, followed by a HiJack This report:

Hopefully I've included enough information and made this topic correctly...

Basically I had an issue where my microphone would mute itself, figured it was a virus, and ran malwarebytes. It found stuff, removed it, and everything worked fine... for about a few hours. A few hours later the same thing occurred, ran malwarebytes again and found the same thing: "dnsl64.exe" detected, along with other things that it appears to be downloading. No matter how many times I remove it it seems to come back, and googling dnsl64.exe popped up no results that I could find and then each scan (after a few hours) pops up a bunch of junk, even if I leave the computer idle. It also downloaded something that appeared to change my browser homepage to "search.snapdo.c*m" if that helps diagnose anything.

I've attached the MWB and FRST logs, hopefully they help diagnose what the problem is! Thank you in advance for any help, would really appreciate getting rid of this nasty thing.

I have a Toshiba laptop that back in March I had a virus and went to a local PC store and had the virus removed. A few months later the virus came back and I had a friend remove that virus and all was well for about a week when the virus came back once again and was removed and seems to be removed right now. I am afraid this is going to happen again and want to know if you can check the HiJack This log here to tell me if there is something seen that I am not able to identify as a virus. I did use the self help scan tool but I don't really know what I am looking at. The scan is here http://www.computerhope.com/cgi-bin/process.pl?o=20192628.

I run McAfee AV on this laptop along with MalWareBytes and MS Windows Defender. I did updates and scans to each one of them 2 nights ago both in normal mode and in safe mode and none of them are returning any bad files, however, I am reluctant as this has happened three times now. I am wondering if there is a hidden rootkit file that the softwares are not picking.

I run the following system:
OS Name Microsoft® Windows Vista™ Home Premium
Version 6.0.6002 Service Pack 2 Build 6002
Other OS Description Not Available
OS Manufacturer Microsoft Corporation
System Name CHARLENE-PC
System Manufacturer TOSHIBA
System Model Satellite A305
System Type X86-based PC
Processor ...

Answer:Virus Keeps Coming Back

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.

*************************************************************************

SUPERAntiSpyware

If you already have SUPERAntiSpyware be sure to check for updates before scanning!

Download SuperAntispywa...

I really need help. Whenever I scan with avast, it tells me there's a virus. I can't delete it because it's being used by another program. So I got into safe mode and tried to remove it. A while later, after I deleted it and got back into Windows, I scanned again and it's back. It's always in the same place too:

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

* Download DDS by sUBs from one of the following links. Save it to your desktop.
  * DDS.scr
  * DDS.pif
* Double click on the DDS icon, allow it to run.
* A small box will open, with an explanation about the tool. No input is needed, the scan is running.
* Notepad will open with the results.
* Foll...

Now please Download LSPFix from:
LSP-Fix

Disconnect from the Internet and close all Internet Explorer Windows. Run the program and check the "I know what I'm doing" Button and place all listings of c:\windows\system32\aklsp.dll and c:\windows\system32\dolsp.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the finish button. Then Reboot.

To see a tutorial on how to use this program click the link below:
Using LSP-Fix to remove LSP Spyware & Hijackers

Print out these instructions and then close all windows including Internet Explorer.

Then I want you to fix some of those entries. Please do the following:

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows

Run Hijackthis again, click scan, and Put a checkmark next to each of these. Then click the Fix button:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tagteamgirls.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explo...

So my computer got a virus from a game that I tried downloading. Avast! did a boot scan and got rid of it, but a day or two later, I got messages from Chrome that said I had a virus again, but of course those are usually scams. I did another scan, just to be safe, and Avast! found two items, got rid of them, and ran another boot scan, just to be safe.

Next day, I figured it had to be from Chrome because of the fact that I attempted to download the game from Chrome and was getting odd popups and such but IE wasn't doing that. So I deleted it. My friend suggested downloading Malwarebytes so I did that as well. It found two more Trojans and so did Avast! after a full system scan. Got rid of those as well and found they were gone afterwards.

I can't tell if my computer is infected again but earlier Malwarebytes apparently blocked a couple malicious websites, and since Avast! usually did that when the virus would come back, I ran another scan and found one thing, a YouTubeAdBlocker, I don't know if I wanted to get rid of that because an AdBlocker sounds like something I would want to keep and I heard that sometimes, Malwarebytes finds things that aren't really dangerous, but idk I am not an expert. I tried not to worry about it after that but I just want to be safe.

I am running two full system scans as we speak with Malwarebytes and Avast! to see if they will find anything that way since quick scans didn't find anything (except the AdBlocker again) and...

Answer:Virus that keeps coming back?

Hi,

In order to help you, we need reports generated on your system. Please follow this topic and attach requested reports: http://malwaretips.com/threads/malware-removal-assistance-how-to-get-help.20334/

Combofix just restarts my computer and won't run and nothing can find the virus but it's there. It started as a fake antivirus, then when I deleted it it created win 7 antivirus 2011. I think I got rid of that one too, but now every time I click any link it takes me to some random ad page instead. I've already done a system restore from days ago and even that didn't work, but it stopped my problem with running .exe's from the win antivirus.

Answer:Virus just keeps coming back!

Hello, having run ComboFix we need to see that and a DDS log.

As you now see, Combofix is not to be run like a common tool. It's why we post this above the malware forums.

ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer.

Please go here....Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9 which is here Virus, Trojan, Spyware, and Malware Removal Logs and not in this topic, thanks.

Skip the GMER step and instead post the ComboFix log you posted earlier.

Let me know if that went well.

Hello, a few weeks ago I had alerts from ThreatFire saying that "c:\2F2FE1D9C8463A4E6C7466B1CF9E03AD\MPSIGSTUB.EXE" was trying to modify another program, copy itself to multiple locations, I clicked ignore to these after looking it up, and finding out that mpsigstub.exe was related to windows malicious software remover. When I tried to look inside the folders, they renamed themselves. I started to panic when I found out that it's normally in the system32 folder, so my friend came round to help me delete it and remove the registry changes it had made.

I know that was a virus, but I'm not sure about these: Not so long ago a very similar directory had been created again, this time with stub.exe in it. I deleted them, and ran an anti virus scan. C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report09186521\WER11A7.tmp.hdmp and C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report11188777 were infected and quarantined. stub.exe was also trying to modify other programs etc. Just today I found two more directories with similar names, such as 70d953ce1268e4d3b8, with eventlog.txt in them. I haven't got any warnings as far as I know, so I want to know if this is the same virus, or even if it's actually a virus at all, and I'm just being paranoid. Thanks in advance

PS. I also had a process called conime.exe, I looked it up, and it's to do with using an Asian language. Apparently, if this is running while you aren't using an Asian language...

I am looking for some help. I am running Windows 7 and IE8 and have started to get constant redirects. Malware found two viruses Rootkit.0Access and Trojan.Dropper.ED. Malware now shows no problems but the redirects keep coming back. At least I can still use the computer for now. Any help is certainly appreciated.

Bryan

Answer:Redirect virus keeps coming back

Hello Bryan

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together some things for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

* Please do not run any tools unless instructed to do so.
  We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
* Please do not attach logs or use code boxes, just copy and paste the text.
  Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
* Please read every post completely before doing anything.
  Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
* Please provide feedback about your experience as we go.
  A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", t...

Working on a friend's computer that had some viruses. I ran malwarebytes and that cleaned out about 15 problems. Gave her back her computer and the next day she had the same problem. Not sure what is going on but when the virus kicks in, it also changes the proxy setting so that she can't use the internet. Any ideas?

Thank you.

Answer:Virus problem keeps coming back---help

Some infections will alter the Proxy settings in Internet Explorer which can affect your ability to browse, update or download tools required for disinfection. Check/reset the Proxy Settings as follows:

* Press the WINKEY + R keys on your keyboard or go to > Run..., and in the Open dialog box, type: inetcpl.cpl
* Click OK or press Enter.
* Click the LAN Settings... button and uncheck Use a proxy server for your LAN or change the settings to the proxy you normally use if you previously reconfigured it.
* Remove any unknown addresses from the Address box. 80 is the default Port so it does not have to be changed.
* Click Ok and then click Ok again.
* Close Internet Explorer and restart the computer.

If using Firefox do this:
* Open Firefox, click Tools > Options > Advanced and click the Network Tab.
* Under the Connection section click on the Settings... button.
* Under Configure Proxies to Access the Internet, check No proxy. This is the default option if you don't use a proxy.
* Click Ok and then click OK again.
* Close Firefox and restart the computer.

For other browsers, please refer to How to configure browser proxy settings.

Please download the TDSS Rootkit Removing Tool (TDSSKiller.zip) and save it to your Desktop. <-Important!!!
* Be sure to print out and follow all instructions for performing a scan or refer to these instructions with screenshots.
* Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itsel...

Hi, I use Windows XP and I recently encountered a virus. My antivirus software, avast!, called it Win32:Trojano-207 [Trj]. I tried to delete it but a few seconds later the warning message for the same virus popped back up. I tried to do a startup scan but that also didn't work. I used adaware and also spybot but nothing worked. Can someone please help me here! Thanks in advance!

Hi, I had my security program AVG pick up a vundo trojan 2 days ago. I used combo fix to try and eliminate the problem and it deleted about 12 files and the computer is back at normal speed for now.

When my AVG software ran again today it picked up 2 new threats. One .sys file, and one .dll file:

Win32/cryptorGeneric10.allg

They are showing up as _restore entries. Did I not have the virus completely removed and it is trying to reproduce itself?

Thanks,

Here is my hijack this log. How do things look?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:29, on 2009-01-22
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\...

Answer:Vundo virus coming back?

The problem is that the infection is in your system restore files. It's not trying to get back in, but if you have to use system restore it would be. Here is how to get rid of that:

Disable and Enable System Restore. If you are using Windows Vista or XP, then I recommend you turn off System restore, and then turn it back on so that you will not be able to restore your problems to a clean computer.

Here are some good tutorials for that.
Windows XP System Restore Guide
Reboot
Re-enable system restore with instructions from tutorial above

Create a System Restore Point
Go to all programs, then to accessories, then to system tools, then to system restore. Check the box for create restore point (not select a restore point), then click next and follow the instructions.

After you do that, do a complete scan with your tools that you have and see what they say. If they show anything other than tracking cookies, post up the logs.

Hello, I seem to have gotten some viruses - worms, trojans that I can't seem to get rid of. My internet pages started to redirect, mainly to various advertising sites and of course adult sites and fake virus scanners. I scanned with Microsoft security essentials and got rid of everything but it kept on happening so I got Malwarebytes and scanned again. It came up I had win32.autorun.tmp so I got rid of it, restarted and scanned again but it was there again. I tried again but this time the scan was almost done and I got the BSOD which happens every time now. I then tried Spybot S&D and it scans fully but can't get rid of all infections because some of the files are in use. My computer won't boot in safe mode. I have no idea how to fix this. Please help.

Answer:Virus/ worm keeps coming back

I'm not trying to bump my post I promise but I just realised that I left out some crucial information in my original post. When I start up my computer Spyhunter pops up to say that my Hosts file has been changed and that I should restore it, which is what I do. Should I be doing that? Also whenever I run a virus scan I disable the other anti-virus programs that are installed to stop anything conflicting. I can't update windows, I get an error that says "Windows could not search for new updates an error occurred while checking for new updates for your computer. code 80072EFE" I hope this extra information helps. Merry Christmas everyone.

I use Avast 4.8 to check my system and tried first a "move to virus chest" when I was notified I had a virus. When I "move the virus to the chest" it just keeps coming back as a new virus almost immediately with the virus warning. Then I tried the "repair" option in Avast, but it always said an error has occurred... File name was: C:\System Volume Information\ _restore{7F7BE6F8-0D6A-488B-ABD ... Note Malware name: Win32: Trojan-gen(other)... I ran HijackThis and here is the log....

Please walk me through as I'm a novice on this computer stuff,,, thanks in advance...

Hi, I got a virus that keeps coming back in my Temp folder, "WindowsUpdateKB12695__7428_il31477.exe", "tmp4191.tmp.exe", "tmp9E32.tmp.exe". It appears once a day and I can remove it by running Malwarebytes, but it keeps coming back after a few hours. It tries to install a program as soon as it appears in my Temp folder.

I have a feeling I might be infected with a rootkit... I tried running Malwarebytes Anti-Malware, Malwarebytes Anti-Rootkit, TDSSKiller and ComboFix with no luck, it still comes back every few hours or every day.

I think this virus appeared when I got some new drivers for my AMD graphics card, but I am not certain... I cannot do a system restore because I didn't have any restore points before I downloaded the drivers...

I would like to know if one of you more experienced users could help me with my issue. Thx in advance!

Edit: Moved topic from Windows 7 to the more appropriate forum, due to member having already run ComboFix. ~ Animal

Answer:Virus keeps coming back in Temp

I found an "$RECYCLE.BIN" in my second hard drive, I think I'm infected with Zero Access, but it's on another internal hard drive which is not the one my operating system is on, I feel like all the scanners are only scanning my main hard drive where my operating system is located, so they can't find the virus! How do you delete a Zero Access rootkit in a second internal hard drive?

i've already started discussing this in a different thread, but due to new and disturbing occurrences, i felt the need to start a whole separate thread on the matter, i hope that's ok.

ok, as a background: i did a Panda virus scan yesterday and it found VBS/TheThing in my pc. it was located in the Temporary Internet Files folder. Panda got rid of it. so, fine.

Today, i decided to do another virus scan just to be thorough, so i run the Panda scanner again. and again it found VBS/TheThing !!! location: Temporary internet files\content.IE5 folder. don't know how i could've been exposed to it, since the last scan i haven't been to any sites other than here at TSG and Norton, nor have i done any downloading of anything that could be suspect whatsoever. i don't know how i got it again!! and this is what disturbs me further, Panda didn't get rid of it this time; i checked the scan report, and the action taken just said "infected". not deleted or renamed, just 'infected' (last scan Panda "renamed" it). why could this be??

since it was found in the Temp internet files folder, naturally i deleted everything in it. but what i'm wondering is why it keeps coming back?

I have an amazingly annoying problem which keeps coming back (even after windows format), I keep getting errors which won't allow me to start, open, delete, install files. Just messes up the whole system.

The errors are:

When I want to install program - Nothing happens OR Internal Error: Failed to expand shell folder constant "userappdata"

When I want to start program - Nothing happens OR mpr.dll is missing OR netutils.dll is missing

If I want to delete a program - "An error occurred while trying to uninstall program. It may have already been uninstalled"

Startup programs won't start - netutils.dll is missing OR mpr.dll is missing

I did a fresh install on my SSD, everything was working great but after a couple of days it came back. What's going on here?

Answer:Virus/Trojan keeps coming back?

Sounds like a bad installation. Where did you get your Windows 7 installation media from?

I've run Malwarebytes, SuperAntiSpyware, and Sophos is running now. The virus won't come off and when I run a scan in safe mode it says it's gone but in regular it says it's there. The virus redirects every link I click on in Google to some other ad. Please help. I'll update if Sophos removes it.

Oh, by the way, Malwarebytes says:
Trojan.dropper.bcminer
Rootkit.0Access
Rootkit.0Access

Edit: Ran Sophos...did nothing...

Answer:Horrible Virus, Keeps coming back.

Please do not run any tools unless instructed

Download TDSSkiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions
Click the "Scan" button to start scan.
After scan finishes, click on Save log
Post the log results here

Download ESET online scanner
Install it
Click on START, it should download the virus definitions
When scan gets completed, click on LIST of found threats
Export the list to desktop, copy the contents of the text file in your reply

Answer:need help been using my virus software but they keep coming back

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll...

Somebody please help! I've tried everything I know of...

The other day while my little sister was researching something for a project on our home computer, she clicked on a link and a window popped up saying, "Congratualtions.! Your our winner for today blah blah blah". =( When I saw it, I knew it was a virus attempt because I came across this once before when my brother was caught looking at porn smh

Anyways, I ran three different virus scanners, McAfee, Threatfire and AVG, and all three said there was no infected file on my computer. Yet, every twenty (20) minutes, Threatfire virus alert would pop up with the location and name of the infected file. Each time, I selected 'Kill and Quarantine', and each time, the application disappears only to reappear later in the next twenty (20) minute time frame. Oh, and whenever anyone tries to use a search engine, youtube or any website where you have to enter data into a search field, a separate window pops up like ex: randomtext.jempca.randomtext. And it always redirects to some kind of online 'shop', 'search engine' or another 'Congralations.!' message pops up.

I went online to research what I could about manually removing a virus using the computer's CMD. I tried it a few times to get rid of the folder the viruses would constantly pop up in, but the virus would still pop up. The location is always C:/Windows/Temp/ which I found weird because I thought most viruses would pop up...

Answer:Infected? Virus keeps coming back.!

This time when Threatfire alerted me, I located the Temp folder and there were five (5) different hki****.exe files!

Unfortunately I keep getting my isp suspended due to trojans, initially it was something different but now they are telling me it's Torpig. I thought I had removed a few trojans, and they seem still gone on repeated scans with programs such as Panda, Malbytes and SuperAntispyware but again on April 9th my account got suspended. Here's my Hijack This log, can someone please talk me through what might be the issues and how to remove them? It would be much appreciated.

Hijack This log (updated after removing some things):

my pc was infected several days ago, i have eliminated it but, once in a while it comes back. i don't know what else to do. please help. maybe i'm just paranoid but my pc runs slower than usual, especially the explorer. i have pasted a hjt log, just in case you need it.

any advice is very much appreciated.

thanks

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:36:19 AM, on 10/24/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
Boot mode: Normal

I have installed malware software, even there is a QUICK HEAL ANTI SOFTWARE installed in my computer. System got stuck and applications are running slowly due to virus problem, I want to remove the virus and want to improve system performance. I want to know how to fragment (don't know) the system or reboot.

Answer:How to remove a virus that keeps coming back?

Hello and Welcome.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:

The computer is running XP Service Pack 2. When I first tried to fix a popup problem with Symantec, the user (my daughter) couldn't log on anymore. Safe mode would begin to load and then rebooted.

I fixed several registry entries using Knoppix under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell and copied over a copy of userinit.exe, and ntldr from another XP installation.

Now the user can log on, but the web pages are redirected to advertisements for removal tools and other things. A file called str.sys was removed by several malware and antivirus programs and kept coming back.

I still can't boot into safemode. I see a list of drivers loading and then the computer reboots. I would be grateful for any help, thanks.

Hi jobarb,

Welcome to BC HijackThis forum. I am farbar. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

I see you have Combofix. Please post the log(s) it has produced. If you have run it more than once, please attach all of them.

The latest log is located at: c:\Combofix.txt

The earlier logs are located at C:\Qoobox\combofixX.txt where X is a number.

Hey guys I have scanned with Malwarebytes, Superanti Spyware, and Hitman they all have said none except Malwarebytes and I know its right because my computer will randomly shut off some times.

Answer:Virus. keeps coming back.Winsvcs.exe

Hello, please post that MBAM log.

The log is automatically saved and can be viewed by clicking the Logs tab. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.

Is it Winsvcs.exe or winsvc.exe?

Please download TDSSkiller.
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive)
Do not change the default options on scan results.

>>>> ADW Cleaner

Please download AdwCleaner by Xplode onto your desktop.
Close all open programs and internet browsers.
Double click on adwcleaner.exe to run the tool.
Click on Delete.
Confirm each time with Ok.
You will be prompted to restart your computer. A text file will open after the restart.
Please post the contents of that logfile with your next reply.
You can find the logfile at C:\AdwCleaner[S1].txt as well.

>>>>>> ESET ONLINE

I'd like us to scan your machine with ESET OnlineScan
Hold down Control and click on this link to open ESET OnlineScan in a new window.
Click the button.
For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
Double click on the icon on your desktop.
Check "YES, I accept the Terms of Use."
Click the Start button.
Accept any security warnings fr...

Hi,

I am no novice to removing malware, but every once in a while I am completely at a loss, and I have three infected client PCs right now that have me beat. I will post them in separate threads.

This one starts itself in WinLogon, and I can start from a CD to access the hard drive and delete the file in question (which is set to hidden and read-only and system), but when I restart another file has taken the place of the first one.

The WinLogon registry entries change, too. I have come across these so far:

Web Check (maybe without space)
Controls Folder
Reliability
Shell Extensions
ShellScrap (no space) - I gave up after this one, and the file name is ppdrv.dll. ShellScap appears to be the name of another virus which doesn't fit the symptoms here, though.

Internet on that PC is broken.

I used HiJackThis to weed out everything else.

On most PCs I can use Process Explorer (Sysinternals) to go into WinLogon and kill the bad process, but on this PC (and some others) I don't get a file name for the process in the Thread tab, but only a memory address, so I have no way of knowing which one to kill.

But even if I could kill it and remove the file, something else must still be started with Windows that restores a new WinLogon entry with a new file.

I will go back to that person on Monday, but I will only have this one day left to fix it, so I need all the info I can get before I go there.

Here is the original HJT log that I made before I made any changes. The PC was started in Safe Mode CMD Prom...

Answer:Virus Keeps Coming Back - Winsync Qoologic

This is number 3 that I encountered today. I have had this one before on a client's PC ages ago, but can't remember how I got rid of it.

The main thing to identify it is that it starts salm.exe, but the file doesn't show up either in Explorer or CMD or even when started from a CD that has NTFS access.

I tried the Symantec tool for 180Search (I think), but had to leave the client right after that (no idea if it worked). I will go back on Monday and would like to be ready for it.

I know how to use HJT, Process Explorer, KillBox etc. and Regedit, and I'd rather get rid of something manually or at least know how it's done in case an automatic removal program doesn't do the trick.

I tried removing the files while starting from a CD, but the files don't seem to exist, even though they show in HJT as being started and NOT as file missing. I am fluent in CMD prompt and know how to search for hidden files, but with no success here.

Where could these guys be hiding so I can't find them? How can I find the files? Are there other Registry entries that HJT doesn't detect that allow files to be started?

Basically I follow the method where i restore my PC and then scan my computer with both Malwarebytes and HitmanPro. They both always detect a ton of objects that i delete immediately but a day or two later the virus always comes back.

What i THINK is happening, is i've used a restore point that was set by the virus (I had no others) and so the file remains on my PC maybe in my registry? I've tried everything i know and this is really frustrating me, any help would be appreciated.

Another thing i observed (and maybe it means nothing) is that when the virus was about to come into effect my avira detected it in my recycle bin. My recycle bin was empty so does that mean it's being restored from deletion or something?

Answer:Ukash Virus Scam keeps coming back

Hi and welcome to the MalwareTips.com forums!

I'm Kuttus and I am going to try to assist you with your problem. Please take note of the below:

I will start working on your malware issues, this may or may not, solve other issues you have with your machine.
The fixes are specific to your problem and should only be used for this issue on this machine!
The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Refrain from running self fixes as this will hinder the malware removal process.
It may prove beneficial if you print off the following instructions or save them to notepad as I post them.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.

Before we start:

Please be aware that removing malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to nece...

I have a virus embedded in a file: system32\userinit.exe. I have cleaned and cleaned and it keeps coming back every time I log back on the computer. I want to delete that file and get a new userinit.exe. I tried to do a System File Check to fix it, but I don't have the windows CD that needs to be put in to do that. Is there anything I can download from anywhere to get a new file? Anyone have any ideas?

Answer:system32\userinit.exe virus keeps coming back

You can follow this procedure and then I can review your logs and do my best to solve your issues:

Welcome to Major Geeks!

Please read ALL of this message including the notes before doing anything.

Please follow the instructions in the below link:

READ & RUN ME FIRST. Malware Removal Guide

and attach the requested logs when you finish these instructions.

**** If something does not run, write down the info to explain to us later but keep on going. **** Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain (if any still do)!

Helpful Notes:

If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:

Starting your computer in Safe mode

If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware and Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable ... Read more

I got infected with the Funshopper virus/malware, but I can't seem to get rid of it. I tried following some manual removal tutorials online, but the instructions weren't clear about how to delete hidden files or mess with registry stuff. So it didn't work. I also downloaded Spyhunter, but that didn't work either because the scan kept hanging/freezing, so I just uninstalled it.

They call me TwinHeadedEagle around here, and I'll be working with you.

Before we start please read and note the following:

At the top of your post, please click on the "Watch thread" button and make sure to check Watch this thread...and receive email notifications. This will send an email to you as soon as I reply to your topic, allowing me to solve your problem faster.

Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process. Please do not perform System Restore or any other restore.

Instructions I give to you are very simple and made for complete beginner to follow. That's why you need to read through my instructions carefully and completely before executing them.

Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.

All tools we use here are completely clean and do not contain any malware. If your antivirus detects them as malicious, please disable your antivirus and then continue.

If during the process you run across anything that is not in my instructions, please stop and ask. If any tool is running too much time (few hours), please stop and inform me.

I visit forum several times at day, making sure to respond to everyon...

I ended up with some spyware and virus of some sort and got this SafetyBar program and a few others. I've managed to clean up that aspect of it but i get pop-up ads and spyware and viruses continue to show up when i do scans from time to time. Also when I use my IE7 now, if i open up a new tab, it closes itself.

PS: I had the virusbusters thing (I believe that is what it was called). I followed the tutorial and still have leftovers.

Logfile of HijackThis v1.99.1
Scan saved at 11:10:50 AM, on 12/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Answer:Infected With Virus/spyware - Keeps Coming Back

Hello there and welcome to Bleeping Computer's security forum.

My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions: This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available. You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above. A print out of the instructions would be a good reference to make sure you don't get lost.

Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!

If you have any queries about the process or just general questions, just ask.

Step #1

I do not recommend that you have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to create "false alarms". It can also lead to a clash as both products fight for access to files which are opened again this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms - When the anti virus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both softwar...

I got this consumer input virus about a week ago.. I've done a malware scan with malwarebytes and it quarantined it about 3 times.. and each time it keeps coming back.. The virus itself just has a bunch of annoying popups and just keeps changing my chrome settings. Operating System is Windows 8.1 64 bit.. Can someone help?

Answer:Consumer Input virus keeps coming back

Welcome to BC!

The programs below have a good track record of finding and removing most adware and a lot of malware.

Malwarebytes' log of what it removed can be found under the history tab. Please post the results of the scan that you refer to. Also check MBAM's settings and be sure that scans for PUPS and Rootkits are enabled. If they weren't, run a new scan with those enabled.

Use CCleaner to remove Temporary files, program caches, cookies, logs, etc. Use the Default settings. No need to use the Registry Cleaning Tool...risky. Pay close attention while installing and UNcheck offers of toolbars....especially Google.
After install, open CCleaner and run by clicking on the Run Cleaner button in the bottom right corner.
CCleaner - PC Optimization and Cleaning - Free Download

Download AdwCleaner by Xplode and save to your Desktop.
Double-click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator.
Click on the Scan button.
AdwCleaner will begin...be patient as the scan may take some time to complete.
After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
After reviewing the log, click on the Clean button.
Press OK when asked to close all programs and follow the onscreen prompts.
Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
Cop...

Hello I am new to your forum, computers and the internet so please bear with me

Here is my problem, the other day while I was on msn messenger live I had clicked on to a link that was actually some sort of trojan/virus that was hidden in a file.

My Msn box started to dance all around my screen, and to my surprise, this trojan/virus started to send out the same file to others that were my contacts and had their Msn Live messenger box on at the same time I had, posing itself off as me sending it

Next I did a full scan with my Norton IS 2007 and it picked something up called serviser.exe & [email protected] being as a virus, then it proceeded to clean it out of my system

I then used my Spysweeper and it came up stating I was infected with W32/IRCBot-xx, I quarantined such, cleaned out my Quarantine and then proceeded to do more scans, however after each additional Spysweeper scan was done, this W32/IRCBot-xx would show back up again

Now there after seeing that, I was more than a little upset, so I made a few phone calls to my Grandson's friends, whom are more knowledgeable with computers than I am, they all suggested to me that I should do such scans in safe mode so I did

That did not help either because this darn W32/IRCBot-xx keeps coming back and showing up in my Spysweeper

I would like to know if some one here can give a Old Man a tad of a little guidance please with regard to my problem

I have done many scans and cleaning with Norton IS 2007, Spy Swee... Read more

Hey guys I got a virus that haunts me, I think it is sality going by results from mbam.

I started a topic in the virus section but got redirected here, link below to prev topic

http://www.bleepingcomputer.com/forums/t/528024/sality-is-making-me-violent/

Also if possible I will need advice for Xp, vista as this thing has infected many systems :/

Thanks in advance

Answer:Virus keeps coming back after formatting and reinstalling

You have previously been told...several times...that you need to format and do a clean install due to the nature of your system infections.

What is there that you cannot do...on any system, for any version of Windows?

Avira first alerted me to this problem on 11/23. I had been getting loud annoying pop-up ads when I was browsing youtube, and then saw Avira found EXP/JS.Expack.AZ, EXP/Pidief.dme, and TR/Alureon.A.78. I googled it and found your website and followed the instructions and MBR check said nothing was found so I thought I had gotten rid of it. Avira did scans from 11/23 through 12/4 and no viruses/unwanted programs were found even though I was still having some intermittent problems with annoying pop up ads. Then on 12/5, I got a new Avira warning saying it found two unwanted programs, including TR/Alureon.A.74 and TR/Alureon AYQ Trojan. So I don't know if I got rid of it and it came back, or if it never went away, but I am ready to cry Uncle and humbly request for help! I really don't know how I have gotten this because all I do is browse the internet. Thank you so much for your help. It is greatly appreciated.

Hello merri23, Welcome to Bleeping Computer. My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:

Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post. I will be analyzing your log. I will get back to you with instructions.

Do you have a USB Flash Drive you can use?

Hi. I'm new here, but I hope somebody can help me.

I got a trojan virus called "Trojan.Agent.Gen" or "Trojan.Agent.cn" by Malwarebytes Anti-Malware. It creates a file called svchost.exe in appdata\local\temp directory and every time I stop it with Malwarebytes Anti-Malware it comes back again after restarting my computer.

I provide some screenshots below, but the Malwarebytes Anti-Malware is in Norwegian language, but you can clearly see the Trojan name.

PS: I'm using Windows 7 Home Premium.

Answer:Trojan virus keeps coming back after removal

Please do the following:

Download the appropriate version for your system of the Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Choose your language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

Select Command Prompt
In the command window type in notepad and press Enter.
The notepad opens. Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.
In the command window type e:\frst.e...

Hi I was wondering if anyone can help me. I have a Lenovo x120E thinkpad running windows 7. A week back, MSE picked up a trojan threat and I quarantined it in response. Subsequently, about a day or so later, I noticed my desktop had changed and the start menu was the older XP style logo. I thought it was some update from windows and was so focused on my work that I ignored it.

As my computer slowed, I decided to restore to a setting prior to the desktop change, and sure enough, the desktop went back to normal. As I started looking for things that did not belong on my PC, I found the file C:\programdata\pcDR. When I tried deleting it, it immediately pretended to delete but made the changes that caused the desktop to change. I then knew I was infected, and redid my system restore. This time rather than delete the file in Windows, I went to the command prompt to delete the directory. It said it could not because I did not have admin rights (it is my PC and I am the only user and administrator). So I had to "takeown", which I did and deleted the file. Upon googling all the details, I found several threads on here of others who have had the same problem and have used just about every one of the malware programs that have been listed...combofix, antiroot kit, JRT, etc. The problem is the folder keeps coming back each day around 3PM...whether I am using the machine or not. I have gone through the regi...

Answer:PCDR folder with virus keeps coming back

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/533167 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t...

The problem being as of now is that the viruses won't go away. Every time a virus would pop up I would always Google it and try to fix it myself. Everything seems fine after finishing all the steps to the guide on how to get rid of said virus but it kept coming back after a day! At first it was the AV Protection 2011 virus and now it's the Win 7 Antivirus 2012. It's exhausting to have to do a scan every day. Much help would be appreciated.

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

* Do not run any other tool until instructed to do so!
* Please do not attach logs or put in code boxes.
* Tell me about any problems that have occurred during the fix.
* Tell me of any other symptoms you may be having as these can help also.
* Do not run anything while running a fix.
* Do not run any other tool until instructed to do so!

Click on the Watch Topic Button and select Immediate Notification and click on proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.

Link 1
Link 2
Link 3

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the r...

As said in the title, the Windows Xp Security Center virus keeps on coming back. I've gotten rid of the thing 6 times now, and I'm sure it'll come back again unless I find the cause of it. I also noticed that my automatic updates is off, and I can no longer turn it on. It always says that it's unable to change settings. I have no idea what to do. Anytime I get the virus, I just scan and remove it, but it's becoming a real nuisance, and I want to stop getting it now. Any help would be much appreciated.

Answer:Windows Xp Security Virus Keeps Coming Back

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined below. Use a USB flash drive to download and transfer the tools to the affected machine, if necessary. You might like to run the Flash_Disinfector.exe on the clean machine and the flash drive first to protect against any possible transfer of infection via USB.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help - Tech Support Forum

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.

I've removed this virus sooo many times now, and it seems to keep coming back. Also, now I have the "generic host processes for win32 services has encountered an error" type thing going on, and I'm not sure if it's a virus, a bad driver, or some other error. I've run the Malwarebytes and Avira scan to remove the virus again, but it'll probably return quite soon. Here are my Malwarebytes logs:

Hello,

And welcome to BleepingComputer.com, before we can assist you with your question of: Am I infected? You will need to perform the following tasks and post the logs of each if you can.

Malwarebytes Anti-Malware

Please Update Malwarebytes Anti-Malware and run a FULL SCAN, then post the new log here along with the others.

SUPERAntiSpyware:

Please download and scan with SUPERAntiSpyware Free

* Double-click SUPERAntiSypware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
* In the Main Menu, click the Preferences... button.
* Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
* Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
  * Close browsers before scanning.
  * Scan for tracking cookies.
  * Terminat...

I keep getting the "[email protected]" virus. McAfee viruscan picks it up and deletes it every time but it keeps coming back. The McAfee viruscan thing finds about a dozen of them each time. This happens like every other day. Any suggestions would be of great use. Thanks......

Please help. I have a Dell D620 running on Windows XP. I noticed around 2 weeks ago it was acting a bit strange, running slow etc. and sending dodgy emails. I had avast installed and it never picked up anything. I couldn't system restore, so I reinstalled Windows to see if that would clear it, but it never. I knew it was a virus so I downloaded Emsisoft Anti-Malware and it found virus.win32nimnul!ik. I have done several scans and each time I have put it in quarantine but it gets removed from quarantine. I've also deleted it several times but it keeps coming back. I'm by no means an expert with computers so any help would be greatly appreciated. Many thanks.

I ran Norton Antivirus and it keeps telling me that it has fixed the problem and to restart the computer. I do that and then I run Norton again and it is the same thing. I have tried to read through some of the similar questions, but did not really understand them; I am not sure what a hijack log is and such. With step by step directions, I might be able to do it myself. I am running Windows XP. I keep getting a pop up saying that "this link does not exist" but it comes up when I am not trying to click on anything. Any help would be GREATLY appreciated!!

Hi, new here. I'm posting because my computer started getting hit with random pop-ups, again, mostly whenever I'd run Mozilla Firefox. I ran Malwarebytes and found about 13 infections of the Trojan.Vundo.h virus. I was able to remove most of the files after the scan and some files after rebooting, however, I'm still concerned there might be some trace of the virus left getting through a backdoor of some sort.

DDS (Ver_09-09-29.01) - NTFSx86
Run by Marc Ravelo at 12:36:15.10 on Fri 10/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.218 [GMT -7:00]

Hello JSpayde,

I (as well as Microsoft, McAfee and Symantec) recommend that you DO NOT have more than one anti virus product installed and running on your computer at a time. The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other anti virus products to cause "false alarms". It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause:

1) False Alarms: When the anti virus software tells you that your PC has a virus when it actually doesn't.
2) System Performance Problems: Your system may lock up due to both products attempting to access the same file at the same time.

Therefore please go to add/remove in the control panel and remove one of these. AVG Anti-Virus Free or avast! antivirus.

******************

Download Security Check by screen317 from here or here.

* Save it to your Desktop.
* Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt.
* Please post the contents of that document.

******************

Download random's system information tool (RSIT) by random/random from here and save it to your desktop.

* Double click on RSIT.exe to run RSIT.
* Select Files and Folders created in last 3 months
* Click Continue at ...

I have been encountering this problem these past weeks. It seems that something is creating a virus over and over again on my system. I ran a Malwarebytes full scan and my antivirus is Avira Premium but to no avail; the problem keeps coming back.

My antivirus blocks this kind of virus (12.exe, 96.exe, 36.exe, igfxdkp2.exe) over and over again at different intervals.

Malwarebytes also detects 3 infections but after I restart the infection is back again.

I hope someone can help me

Answer:Virus keeps coming back and cannot detect the root of it

Hello, I moved you to the Am I Infected forum as you didn't post a DDS log that is required there. So let's do this next and see what we have here.

Is this XP or another and what Antivirus is installed?

Please post your MBAM log.

* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.

Next run an Online scan....

Please perform a scan with Eset Online Antivirus Scanner.

This scan requires Internet Explorer, Opera or Firefox to work. Vista/Windows 7 users need to run Internet Explorer as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run As Administrator from the context menu.

* Click the green button.
* Read the End User License Agreement and check the box.
* Click the button.
* Accept any security warnings from your browser.
* Check Remove found threats and Scan potentially unwanted applications. (If given the option, choose "Quarantine" instead of delete.)
* Click the Start button.
* ESET will then download updates for itself, install itself, and begin scanning your computer.
* If offered the option to get information or buy software at any point, just close the window.
* The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and win...

I have an Acer Aspire 5670 running Windows XP Professional. I've had it for over 3 years now and never had 1 problem or one spyware...out of nowhere...it's infected and I can't get it fixed. I have hijackthis, combofix, malwarebytes, spybot s&d, spywareblaster, superantispyware, atf cleaner, and antivir antivirus on my computer. I've cleaned out the PC countless times, including deleting all cache and prefetch and temp data...I've cleared out all suspicious keys and paths in the registry. Also, there are multiple hidden objects on my computer (26 to be exact) that I cannot find, view or delete...but I did block them with the group policy editor. Everything I've done only seems to be a temporary fix.

There have been multiple issues with things such as antivirus pro 2007/2009, etc. (other fake spyware programs). My Google links or other search engine links are all redirected to other sites. After I clean the PC...it fixes the issue but only for a short while. Also, most of my processes in my task manager are UPPERCASE...after I clean the PC...again, they go back to lowercase but only for a short while. I've deleted spyware with names such as svchast, and multiple other trojans. I'm pretty computer savvy and fix computers in my spare time....so I'm able to stop the issue, but it seems I cannot find the source of my problem and it just keeps coming back. I am going to include a log from hijackthis and anything you can do to help would be greatly appreciated...